RHEL 5 : samba3x (RHSA-2016:0624) (Badlock)

Severity: Medium
Nessus Plugin ID: 90500

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

An update for samba3x is now available for Red Hat Enterprise Linux 5.6 Long Life and Red Hat Enterprise Linux 5.9 Long Life.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information.

Security Fix(es):

* Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370)

Note: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements.

* A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118)

* Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110)

* It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111)

* It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112)

* It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115)

Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, and CVE-2016-2115.